
A Johns Hopkins University computer security team says it is raising concerns about how easily hackers could cause consumer unmanned aircraft systems (UAS) to ignore their human controllers and crash.

Lanier Watkins is a senior cyber security research scientist at the university’s Whiting School of Engineering. His master’s degree students are required to apply what they’d learned about information security by completing a capstone project. Watkins suggested they do wireless network penetration testing on a consumer UAS and, using the vulnerabilities they found, develop exploits to disrupt the process that enables a drone’s operator on the ground to manage the flight.

“We found three points that were actually vulnerable, and they were vulnerable in a way that we could actually build exploits for,” Watkins explains. “We demonstrated here that not only could someone remotely force the drone to land, but they could also remotely crash it in their yard and just take it.”

In accordance with university policy, the researchers described their drone exploit findings in a vulnerability disclosure package and sent it earlier this year to the maker of the drone that was tested. By the end of May, the company had not responded to the findings. 

Watkins says he hopes the studies serve as a wake-up call so that future drones will leave the factories with enhanced security features already on board and not rely on later bug fixes.

The researchers have begun testing higher-priced drone models to see if these devices are similarly vulnerable.

OK. So honestly I don’t think that as reported this story is headline worthy. I don’t find this particularly surprising or concerning. But I get that a lot of the public might. It was an academic exercise and they set their sights pretty low. The three exploits (polite for hacks) described in the article are brute force attacks which simply overwhelmed the drone. Depending on the exploit, the drone made “an uncontrolled landing” or an emergency landing.

I do not think that Parrot should have done better or more. The BeBop they used as a test sled is a consumer product and at $500 it’s basically a toy. Hardening the BeBop would add costs that would deliver little or no value to the consumer. A lot more of these will crash due to incompetence and bad luck than as a result of some guy running around with his $40 drone downer. And then there is always a shotgun.

The larger point is that AUDS and other interdiction tools/weapons being tested by the FAA and the DoD are built to exploit these and other vulnerabilities. There is a plethora of these solutions in part because at this very basic level they are easy to build. From the perspective of protecting airports, nuclear facilities and the like it is actually in the public interest for there to be weak protection on consumer models.

Of much greater concern is the ability to take over aircraft like armed police drones, surveillance units, SAR units and other “official” vehicles involved in public safety functions like law enforcement, surveillance and first response. And to hack data links being used to stream in-flight data to the cloud for commercial processing. These are the areas that I would much prefer that our best and brightest focus on.


